PingAccess

Configuring OpenID Connect token providers

Configure OpenID Connect (OIDC) token provider settings in PingAccess.

Steps

  1. Click Settings, then go to System > Token Provider > Common > OpenID Connect.

    1. Go to Settings > System > Token Provider and select Common Token Provider.

  2. In the Issuer field, enter the OIDC provider’s issuer identifier.

  3. (Optional) In the Description field, enter a description for the token provider.

  4. To record requests to the OIDC provider to the audit store, select the Audit checkbox.

  5. If required, click Add Query Parameter and enter custom query parameter name and value pairs used by the OIDC provider.

  6. In the Trusted Certificate Group list, select the group of certificates to use when authenticating to the OIDC provider.

    PingAccess requires the certificate in use by the OIDC provider to anchor to a certificate in the associated Trusted Certificate Group.

  7. In the Private Key JWT Audience list, select how to handle the audience claim in private key JWT OAuth client authentication. Possible values include:

    Audience Endpoint (default)

    Includes the token endpoint in the audience claim to preserve backwards compatibility with PingAccess 9.0 and earlier.

    Issuer (preferred)

    Includes the issuer endpoint in the audience claim to comply with RFC 7523.

    Both

    Both the issuer and token endpoints are included in the audience claim.
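The three settings above differ only in what goes into the aud claim of the client assertion PingAccess sends for private_key_jwt client authentication. The following Python is an added example (not PingAccess code) that builds the claims set for each mode and shows the checks an authorization server applies before accepting the assertion; the client ID, issuer and token endpoint are constructed placeholder values, and signing with the client's private key is left to a JOSE library.

```python
import base64
import json
import time
import uuid

# Constructed placeholder values for illustration, not a real deployment.
CLIENT_ID = "pingaccess-client"
ISSUER = "https://idp.example.com"
TOKEN_ENDPOINT = "https://idp.example.com/as/token.oauth2"


def audience_for(mode, issuer, token_endpoint):
    """aud value for each Private Key JWT Audience setting.

    'token_endpoint' -> Audience Endpoint (default): token endpoint only
    'issuer'         -> Issuer (preferred): issuer identifier only
    'both'           -> Both: JSON array holding both values (RFC 7519 allows a list)
    """
    if mode == "token_endpoint":
        return token_endpoint
    if mode == "issuer":
        return issuer
    if mode == "both":
        return [issuer, token_endpoint]
    raise ValueError(f"unknown audience mode: {mode}")


def build_client_assertion_claims(mode, client_id=CLIENT_ID, issuer=ISSUER,
                                  token_endpoint=TOKEN_ENDPOINT, now=None, lifetime=60):
    """Claims for a private_key_jwt client assertion (RFC 7523 section 3).

    iss and sub both carry the client_id; jti is unique so the server can
    reject replays; exp keeps the assertion short-lived.
    """
    now = int(time.time()) if now is None else now
    return {
        "iss": client_id,
        "sub": client_id,
        "aud": audience_for(mode, issuer, token_endpoint),
        "iat": now,
        "exp": now + lifetime,
        "jti": str(uuid.uuid4()),
    }


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unsigned_jwt(claims, alg="RS256"):
    """header.payload of the JWS compact form; a JOSE library appends the signature."""
    header = {"alg": alg, "typ": "JWT"}
    return (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
            + b64url(json.dumps(claims, separators=(",", ":")).encode()))


def server_accepts(claims, accepted_audiences, expected_client_id, now=None, seen_jti=None):
    """Checks the token provider applies to the (already signature-verified) claims.

    aud must name this server (as a string or as one element of a list),
    iss/sub must be the registered client, exp must be in the future, and a
    jti seen before is a replay.
    """
    now = int(time.time()) if now is None else now
    aud = claims.get("aud")
    auds = [aud] if isinstance(aud, str) else list(aud or [])
    if not any(a in accepted_audiences for a in auds):
        return False, "aud does not identify this server"
    if claims.get("iss") != expected_client_id or claims.get("sub") != expected_client_id:
        return False, "iss/sub mismatch"
    if claims.get("exp", 0) <= now:
        return False, "expired"
    if seen_jti is not None:
        if claims.get("jti") in seen_jti:
            return False, "replayed jti"
        seen_jti.add(claims["jti"])
    return True, "ok"


if __name__ == "__main__":
    for mode in ("token_endpoint", "issuer", "both"):
        claims = build_client_assertion_claims(mode)
        print(mode, "->", claims["aud"], server_accepts(claims, {ISSUER}, CLIENT_ID))
```

Running the block shows why Issuer is the preferred setting when the provider validates aud against its issuer identifier: the default Audience Endpoint assertion is rejected by such a provider, while Both satisfies either validation policy at the cost of a slightly larger assertion.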

  8. To configure advanced settings, click Show Advanced.

    1. To use a configured proxy, select the Use Proxy checkbox.

      If the node isn't configured with a proxy, requests are made directly to the token provider. For more information about creating proxies, see Adding proxies.

    2. Select the Use Single-Logout checkbox to enable single logout (SLO) when the /pa/oidc/logout/ endpoint receives a request to clear the cookie containing the PingAccess token.

      If you select this option, PingAccess sends a logout request to the token provider after receiving a request at the /pa/oidc/logout/ endpoint. The token provider then completes a full SLO flow.

      To use this feature, you must configure SLO on the OIDC provider.

    3. Select the Track id_token checkbox to track the id_token that the authorization server provides after authentication within the PingAccess session cookie.

      Token providers can use the id_token attribute to identify and locate a user’s session. Some token providers may require an id_token_hint parameter for SLO, but not all. For more information on this configuration, see the table entry Include id_token_hint in SLO in step 8 of Configuring admin UI SSO authentication.

      You must select Track id_token to use the id_token attribute when Creating header identity mappings. You can then use this header to pass along the id_token to other Identity mappings or Rules.

      Tracking the id_token attribute increases the PingAccess cookie’s size. This could make the cookie exceed the browser’s limit. You can find more information in Minimizing the PingAccess cookie size.

    4. Select Request Supported Scopes Only to limit the requested scopes to those advertised in the OIDC metadata.

  9. Click Save.

Next steps

After you’ve successfully configured the token provider, click View Metadata to display the metadata provided by the token provider. To update the metadata, click View Metadata > Refresh Metadata.
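The metadata shown by View Metadata is the provider's OpenID Connect discovery document, and two of the settings above depend on it: the Issuer field must match the issuer the document declares, and Request Supported Scopes Only filters against its scopes_supported list. The following Python is an added example, not part of PingAccess, that performs those checks over a constructed discovery document; the hostname, endpoint paths and scope list are placeholder values and are not taken from any real provider.

```python
import json
from urllib.parse import urlsplit

# Constructed discovery document standing in for what
# /.well-known/openid-configuration would return; not captured from a real IdP.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/as/authorization.oauth2",
    "token_endpoint": "https://idp.example.com/as/token.oauth2",
    "jwks_uri": "https://idp.example.com/pf/JWKS",
    "end_session_endpoint": "https://idp.example.com/idp/startSLO.ping",
    "scopes_supported": ["openid", "profile", "email"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "private_key_jwt"],
})

# Metadata members an OIDC relying party cannot operate without.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "jwks_uri", "end_session_endpoint")


def _is_https(url):
    return urlsplit(url).scheme == "https"


def validate_metadata(configured_issuer, metadata_json):
    """Return (metadata, problems); an empty problems list means the document is usable.

    OIDC Discovery requires the issuer value in the document to be identical to
    the issuer that was configured (no trailing-slash or case tolerance), which
    is what stops a misconfigured or spoofed provider from being accepted.
    """
    md = json.loads(metadata_json)
    problems = []
    for key in REQUIRED:
        if key not in md:
            problems.append(f"missing {key}")
    if md.get("issuer") != configured_issuer:
        problems.append(f"issuer mismatch: configured {configured_issuer!r}, metadata {md.get('issuer')!r}")
    for key in ENDPOINT_KEYS:
        url = md.get(key)
        if url is not None and not _is_https(url):
            problems.append(f"{key} is not https")
    return md, problems


def filter_scopes(requested, md):
    """Request Supported Scopes Only: keep scopes advertised in scopes_supported.

    scopes_supported is optional in discovery; when it is absent the document
    makes no claim, so the request is passed through unchanged.
    Returns (kept, dropped) so the dropped scopes can be logged.
    """
    supported = md.get("scopes_supported")
    if supported is None:
        return list(requested), []
    kept = [s for s in requested if s in supported]
    dropped = [s for s in requested if s not in supported]
    return kept, dropped


def slo_supported(md):
    """Single logout needs an end_session_endpoint in the provider metadata."""
    return "end_session_endpoint" in md


if __name__ == "__main__":
    md, problems = validate_metadata("https://idp.example.com", SAMPLE_METADATA)
    print("problems:", problems)
    print("scopes:", filter_scopes(["openid", "profile", "groups"], md))
    print("SLO available:", slo_supported(md))
```

Refreshing the metadata re-runs these checks against the provider's current document, which is the point of Refresh Metadata after a provider-side change such as a new signing key or a changed endpoint.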